This is the mail archive of the cygwin-xfree@cygwin.com mailing list for the Cygwin XFree86 project.
RE: XWin and multiple users
- From: Alexander Gottwald <Alexander dot Gottwald at s1999 dot tu-chemnitz dot de>
- To: cygwin-xfree at cygwin dot com
- Date: Mon, 24 May 2004 23:12:52 +0200 (MEST)
- Subject: RE: XWin and multiple users
- References: <NEBBKLAEEMDJBCGCCAOGGEEPDBAA.kris.thielemans@ic.ac.uk>
- Reply-to: cygwin-xfree at cygwin dot com
Kris Thielemans wrote:
>
> >
> > user startup $DISPLAY file in /tmp
> > -----------------------------------------------------------
> > Alice XWin :0 $OPTIONS localhost:0.0 /tmp/.X11-unix/X0
> > Bob XWin :1 $OPTIONS localhost:1.0 /tmp/.X11-unix/X1
>
> Thanks!
>
> This brings me to the security scare that I mentioned a few months ago.
> Isn't it a bit strange/unsafe that /tmp/.X11-unix/X0 has read/write
> permissions for everybody? I observed that user A can (accidentally) launch
> an xterm on the display of user B (who launched XWin with that display), and
> so expose everything he (i.e. user A) has on that machine. Worse, he could
> maliciously put some X stuff on the display of the other. (Maybe even read
> some stuff?)
>
> Why not set /tmp/.X11-unix/X0 etc. to owner access only?
There is a second security layer built into X11. You can start XWin with the
-auth option and XWin reads authentication options from this file. Then only
clients who know these credentials are allowed to connect.
So the secure way is to
(1) create credentials
(2) store them in a file readable only to you
(3) add them to ~/.Xauthority
(4) start XWin -auth <file from 2>
(5) only an xterm which has read access to ~/.Xauthority can connect
This has been discussed some time ago on the mailing list and afair there are small
scripts available. Search the archives for md5sum. This should bring up some of them.
Also see man xauth, Xsecurity, Xserver for more details.
bye
ago
NP: Allied Vision - Coaxial Hardware
--
Alexander.Gottwald@informatik.tu-chemnitz.de
http://www.gotti.org ICQ: 126018723
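The five-step procedure from the reply above, written out as a POSIX shell script. This is an added example, not a script from the original mail or from the Cygwin/XFree86 project. It assumes `xauth` and `XWin` are on PATH, that the display number is passed as the first argument, and that the per-server auth file lives at the assumed path `$HOME/.serverauth.<display>`; the cookie is generated with `mcookie` when present, else by hashing random bytes with `md5sum` as the archived scripts did.

```shell
#!/bin/sh
# Added example (not from the original mail): create an MIT-MAGIC-COOKIE-1
# credential, keep it in an owner-only file, register it in ~/.Xauthority,
# and show how XWin is started with -auth so only clients that can read the
# cookie may connect.

# Step (1): generate a 128-bit random cookie as 32 hex digits.
# Prefer mcookie; otherwise hash 64 random bytes with md5sum (assumption:
# /dev/urandom exists, which holds on Cygwin and Linux).
gen_cookie() {
    if command -v mcookie >/dev/null 2>&1; then
        mcookie
    else
        dd if=/dev/urandom bs=64 count=1 2>/dev/null | md5sum | cut -c1-32
    fi
}

# Sanity check: MIT-MAGIC-COOKIE-1 values are exactly 32 lowercase hex digits.
# Returns 0 when valid, 1 otherwise.
valid_cookie() {
    case "$1" in
        *[!0-9a-f]*) return 1 ;;
    esac
    [ "${#1}" -eq 32 ]
}

# Steps (2) and (3): write the cookie into a private server auth file and
# into the user's ~/.Xauthority. Prints the auth file path for use with -auth.
setup_xauth() {
    disp="${1:-0}"
    authfile="${2:-$HOME/.serverauth.$disp}"   # assumed file name
    cookie=$(gen_cookie)
    valid_cookie "$cookie" || { echo "bad cookie" >&2; return 1; }

    old_umask=$(umask)
    umask 077                                   # new files: owner read/write only
    rm -f "$authfile"
    # Register the cookie for both the local-socket and TCP forms of the display,
    # since clients may use either form of $DISPLAY.
    xauth -f "$authfile" add ":$disp"          MIT-MAGIC-COOKIE-1 "$cookie"
    xauth -f "$authfile" add "localhost:$disp" MIT-MAGIC-COOKIE-1 "$cookie"
    # Same credential in ~/.Xauthority, which xterm etc. read by default;
    # another user without read access to this file cannot present the cookie.
    xauth add ":$disp"          MIT-MAGIC-COOKIE-1 "$cookie"
    xauth add "localhost:$disp" MIT-MAGIC-COOKIE-1 "$cookie"
    umask "$old_umask"
    echo "$authfile"
}

# Steps (4) and (5), run by hand after sourcing this file:
#   XWin ":0" -auth "$(setup_xauth 0)" &
#   DISPLAY=:0 xterm     # works for this user; fails for others without the cookie
```

Calling `setup_xauth 1` for a second user (Bob, in the table quoted above) produces an independent cookie for display `:1`, so each XWin instance only accepts the clients of the user who started it, regardless of the permissions on `/tmp/.X11-unix/X1`.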